
In a hierarchical FIB, performing a unicast RPF check would require traversing the data-plane graph to seek out all the adjacency objects and then reading those to find their interface. This is not efficient. Instead, for each path-list we construct a list of unique input interfaces and link this uRPF-list against the entry in the prefix table. In the data-plane, the uRPF-list can be retrieved from the load-balance lookup result, and the RPF check is a simple and efficient walk across the minimal interface list. The uRPF-list is maintained as the routing hierarchy changes, in a similar way to the data-plane object graph. We also provide a knob to allow an arbitrary prefix to pass the loose check. Change-Id: Ie7c0ae3c4483ef467cfd5b136ee0315ff98ec15b Signed-off-by: Neale Ranns <nranns@cisco.com>
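# uRPF (unicast reverse-path-forwarding) source-check test script.
# Five single-packet streams are defined, each entering at ip4-input.
# The stream names record the verdict the author expects from the check.
# NOTE(review): no stream names an interface; the expected verdicts assume
# the packets are received on pg0 -- confirm.

create loop int

set int state loop0 up
set int ip addr loop0 10.10.10.10/24

# Transit packet whose source (1.2.3.4) matches no route, connected subnet
# or urpf-accept prefix configured in this script; expected to be dropped.
packet-generator new {
  name transit-deny
  limit 1
  node ip4-input
  size 64-64
  no-recycle
  data {
    UDP: 1.2.3.4 -> 2.2.2.2
    UDP: 3000 -> 3001
    length 128 checksum 0 incrementing 1
  }
}

# Transit packet whose source (1.1.1.1) is routed via pg0 below, so the
# reverse path agrees with the source-checked interface; expected to pass.
packet-generator new {
  name transit-allow
  limit 1
  node ip4-input
  size 64-64
  no-recycle
  data {
    UDP: 1.1.1.1 -> 2.2.2.2
    UDP: 3000 -> 3001
    length 128 checksum 0 incrementing 1
  }
}

# Transit packet whose source (11.11.12.13) has no route here but falls
# inside the 11.11.0.0/16 urpf-accept prefix; expected to pass.
packet-generator new {
  name transit-allow-from-excemption
  limit 1
  node ip4-input
  size 64-64
  no-recycle
  data {
    UDP: 11.11.12.13 -> 2.2.2.2
    UDP: 6000 -> 6001
    length 128 checksum 0 incrementing 1
  }
}

# Same exempted source, addressed to the router's own loop0 address
# (10.10.10.10) rather than to a transit destination; expected to pass.
packet-generator new {
  name for-us-allow-from-excemption
  limit 1
  node ip4-input
  size 64-64
  no-recycle
  data {
    UDP: 11.11.12.13 -> 10.10.10.10
    UDP: 6000 -> 6001
    length 128 checksum 0 incrementing 1
  }
}

# Routed source (1.1.1.1) addressed to the router's own loop0 address;
# expected to pass.
packet-generator new {
  name for-us-allow
  limit 1
  node ip4-input
  size 64-64
  no-recycle
  data {
    UDP: 1.1.1.1 -> 10.10.10.10
    UDP: 3000 -> 3001
    length 128 checksum 0 incrementing 1
  }
}

# Trace up to 100 packets from pg-input so each packet's path can be inspected.
tr add pg-input 100

set int ip addr pg0 10.10.11.10/24

# Enable the strict source check on pg0.
set interface ip source-check pg0 strict

# 1.1.1.1 is reachable via pg0 (the checked interface); 2.2.2.2 via loop0.
ip route add 1.1.1.1/32 via 10.10.11.11 pg0
ip route add 2.2.2.2/32 via 10.10.10.11 loop0

# Exempt a whole /16 from the source check. The command names no interface,
# so the exemption appears to be table-wide. Every address in the range,
# spoofed or not, is accepted without reverse-path validation, so outside a
# test keep accept prefixes as narrow as possible.
# NOTE(review): this script enables strict mode; confirm urpf-accept is meant
# to exempt sources under strict checking as well as loose.
ip urpf-accept 11.11.0.0/16

# Alternative configurations, left disabled: remove the strict check,
# switch pg0 to the loose check, and remove the exemption.
#set interface ip source-check pg0 strict del
#set interface ip source-check pg0 loose

#ip urpf-accept del 11.11.0.0/16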